Social Engineering – A Psychologist’s Perspective

It has become more and more difficult for companies and businesses to safeguard their confidential data against the ever-increasing number of malicious attempts at security breaches. Southern suburbs psychologist Anita recently discussed the relatively new technique that has been utilized by hackers and others trying to breach the electronic defenses of businesses. Social engineering, which we touched on in our previous article, has become one of the most effective means of gaining covert access to the confidential data stored on the servers and networks of companies.

For many years hackers have attempted to breach the network security measures employed by big companies and corporations by using port scanners and network scanners, pinging away at IP addresses on the network for hours, searching for flaws and weaknesses in the system. Virtually every week, new vulnerabilities are discovered in operating systems and server technologies. These are known in the computer hacking underworld as 0-day exploits and are extremely valuable to hackers, because they can be exploited for as long as they remain undetected. Once they are detected, the software manufacturer or distributor will make a “patch” available that essentially fixes the problem. In many cases system administrators do not pay enough attention to these updates, and it’s possible for the vulnerability to remain unpatched for months or even years.

The psychology behind the concept of social engineering is very simple, which is why it is proving to be the most successful means of penetrating company data security measures.

Anita Prag, a psychologist in the southern suburbs of Cape Town, explains that social engineering relies on the inherent willingness in human beings to help each other. The social engineer will literally engineer a scenario that allows them to get their target, often a low-level employee, off balance. The psychology behind the use of social engineering is brilliant. We explained an example in one of our earlier posts, where the social engineer researches the target and is familiar with their likes and dislikes and what their particular emotional vulnerabilities might be. Another example would be that of a handsome, confident social engineer approaching a shy receptionist of a large corporation. The research will have been done in advance, creating a psychological profile of the intended target. The receptionist in this case will have been identified as being shy, single and insecure: psychologically insecure, and somebody who would easily be flattered by an attractive man needing help from her. The end goal is fairly simple: to get the target to insert a flash drive into the company computer. This flash drive would contain a harmless-looking PDF file and malicious code that is automatically executed once the flash drive is inserted into the computer. The social engineering aspect aims to bypass the training that the employee may have received regarding this type of approach to a security breach.

In order to protect sensitive data and valuable company intellectual property, it is important for companies and businesses to continue to educate their employees and raise awareness of the dangers posed by socially engineered attempts at a security breach. These attempts are so successful because they are well-crafted psychological scenarios that, if implemented correctly, will almost always deliver results.